CN102187599A - Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system

Info

Publication number: CN102187599A
Authority: CN (China)
Prior art keywords: key, new, mme, request message, place
Legal status: Granted (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2009801409751A
Other languages: Chinese (zh)
Other versions: CN102187599B (en)
Inventors: 徐庆珠, 崔成豪, 金重铉, 俞在天, 裵恩希
Current assignee: Samsung Electronics Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Samsung Electronics Co Ltd
Priority date: (assumed, not a legal conclusion; not shown on this page)
Events: application filed by Samsung Electronics Co Ltd; publication of CN102187599A; application granted; publication of CN102187599B; legal status active; anticipated expiration

Classifications

    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/03 Protecting confidentiality, e.g. by encryption > H04W12/037 Protecting confidentiality of the control plane, e.g. signalling traffic
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/14 Using a plurality of keys or algorithms
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA] > H04W12/041 Key generation or derivation
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA] > H04W12/043 Key management using a trusted network node as an anchor > H04W12/0433 Key management protocols
    • H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a method and system for the mobility management, idle mode management, registration management (attach and detach management) and location management (tracking area management) of a terminal using the non-access stratum (i.e. the network stratum, hereinafter "NAS") in a mobile telecommunication network. To this end, the method according to an embodiment of the present invention for supporting the mobility, idle mode, registration and location management of a terminal using the NAS protocol, i.e. NAS messages, involves a terminal (hereinafter "UE") and a mobility management entity (hereinafter "MME"), and addresses a method for efficiently processing security-protected NAS messages, when the received messages are security-protected NAS messages, in the case of transmitting or receiving EMM (EPS Mobility Management) messages, i.e. mobility management messages, in a network such as the 3GPP EPS (Evolved Packet System), when the terminal performs handover in active mode, performs location management in idle mode, and registers with the network; thereby the efficiency of the mobility management, location management and registration management of the terminal is improved.

Description

Method for supporting security-protected non-access stratum protocol operation in a mobile communication system
Technical field
The present invention relates to a method for managing user equipment in a mobile communication system, and more particularly to a method for efficiently supporting the mobility, location and registration management of user equipment (UE) using the NAS protocol.
Background art
As one of the representative mobile communication standards organizations, the Third Generation Partnership Project (3GPP) has developed the Evolved Packet System (EPS) and defined the Mobility Management Entity (MME). To satisfy the high-speed mobility and strengthened security requirements of such a next-generation mobile communication system, improvements to the NAS protocol used in conventional mobile communication systems, in particular 3GPP 3G systems, have been proposed.
However, the NAS protocol, and the mobility, location and registration management schemes based on it, are immature as regards the precision and the definition of the characteristics of the functions they are meant to support. The currently defined procedures and messages do not operate correctly (they malfunction) with respect to mobility, location and/or registration management in real systems, and unclear problems have arisen. Therefore, the procedures for mobility, location and registration management, the security protection, and the roles of the UE and the MME need to be defined so that the NAS protocol supports these functions effectively.
Summary of the invention
In order to solve the problems of the prior art, the present invention provides a method for supporting mobility, location and registration management securely and effectively using security-protected NAS messages in an evolved mobile communication system such as 3GPP EPS. The present invention also defines the operation of the NAS protocol between the UE and the MME using NAS messages. Accordingly, the present invention provides a method for supporting the mobility, location and registration management of a UE using the NAS protocol, both within 3GPP EPS and between 3GPP EPS and other radio access technologies (i.e. non-3GPP systems).
The present invention provides a method for supporting the mobility management, idle mode management, registration management (attach and detach management) and location management (tracking area management) of a UE in a mobile communication network using the non-access stratum (NAS) protocol, i.e. NAS messages. The mobile communication system of the present invention comprises a user equipment (UE) and a mobility management entity (MME), and proposes a method by which the UE efficiently uses security-protected NAS messages in a network such as 3GPP EPS when performing handover in active mode, location management in idle mode, and registration with the network.
According to one aspect of the present invention, a method for processing state information of a UE in a mobile communication system comprises: at the UE, transmitting a state transition request message to a new MME; at the new MME, receiving old key information from an old MME; and at the new MME, after interpreting the request message using the old key information, transmitting a response message to the UE. Preferably, the old key information comprises KSIASME and KASME.
Preferably, the method further comprises: at the new MME, when interpretation of the request message fails, transmitting to the UE a NAS Security Mode Command message that contains the newly generated key information; and at the UE, transmitting to the new MME a response to the NAS Security Mode Command message, generated using the new key information of the UE.
Preferably, the new key information generated by the new MME comprises a NAS cipher key (KNASenc) and an integrity key (KNASint); the NAS Security Mode Command message comprises a security identifier (KSI), the UE security capabilities, the ciphering algorithm to be used and the integrity algorithm to be used; and the new key information generated by the UE comprises a cipher key (KNASenc) and an integrity key (KNASint) generated from the base security key (KASME) indexed by the security identifier (KSI) of the NAS Security Mode Command message. Preferably, the method further comprises: at the new MME, when interpretation of the request message using the old key fails, transmitting a user authentication request message, and at the UE, replying to the user authentication request message. Preferably, the user authentication request message comprises an authentication vector (AUTN) and a security key identifier (KSIASME).
Preferably, the state transition request message is one of a handover request message, a TAU request message and an attach (detach) request message.
According to another aspect of the present invention, a method for processing state information in a mobile communication system comprises: at the UE, transmitting to a new MME a state transition request message security-protected with a new key; at the new MME, responding to the state transition request message by transmitting a user authentication request message; at the new MME, generating a new key and transmitting to the UE a NAS Security Mode Command message carrying the new key; and at the UE, generating the new key based on the new key information of the new MME, and replying to the NAS Security Mode Command message.
According to another aspect of the present invention, a method for processing handover in a mobile communication system comprises: at the old MME, transmitting to the new MME a Forward Relocation Request message carrying the old key information of the UE; at the UE, transmitting to the new MME a TAU request message security-protected with the old key; and at the new MME, interpreting the TAU request message using the old key. Preferably, the method further comprises: at the new MME, when interpretation of the TAU request message using the old key fails, transmitting a user authentication request message, and at the UE, replying to the user authentication request message; at the new MME, generating a new key and transmitting to the UE a NAS Security Mode Command message carrying information about the new key; at the UE, generating the new key using the new key information of the new MME and replying to the NAS security mode command; and at the UE, transmitting to the new MME a TAU request message security-protected with the new key, which the new MME processes using the new key.
According to another aspect of the present invention, a method for processing a location update of a UE in a mobile communication system comprises: at the UE, transmitting to the new MME a TAU request message security-protected with the old key; at the new MME, requesting from the old MME the information relating to the old key of the UE and receiving the old key information; and at the new MME, interpreting the TAU request message using the old key and transmitting to the UE a TAU Accept message security-protected with the old key. Preferably, the method further comprises: at the new MME, when interpretation of the TAU request message using the old key fails, transmitting a user authentication request message, and at the UE, replying to the user authentication request message; at the new MME, generating a new key and transmitting to the UE a NAS Security Mode Command message carrying information about the new key; at the UE, generating the new key based on the new key information of the new MME and replying to the NAS security mode command; and at the UE, transmitting to the new MME a TAU request message security-protected with the new key, which the new MME processes using the new key.
According to a further aspect of the present invention, a method for processing the registration of a UE in a mobile communication system comprises: at the UE, transmitting to the new MME a registration request message security-protected with the old key; at the new MME, requesting from the old MME the information relating to the old key of the UE and receiving the old key information; and at the new MME, interpreting the registration request message and transmitting to the UE a registration accept message security-protected with the old key. Preferably, the method further comprises: at the new MME, when interpretation of the registration request message using the old key fails, transmitting a user authentication request message, and replying to the user authentication request message; at the new MME, generating a new key and transmitting to the UE a NAS Security Mode Command message carrying information about the new key; at the UE, generating the new key based on the new key information of the new MME and replying to the NAS Security Mode Command message; and at the UE, transmitting to the new MME a registration request message security-protected with the new key, which the new MME processes using the new key.
Advantageous effects
As described above, the present invention relates to a method and system for supporting the idle mode management, registration management (attach and detach management) and location management (tracking area management) of a UE using the non-access stratum (NAS) in a mobile communication system. The method for supporting mobility management, idle mode management, registration management and location management using the NAS protocol involves a user equipment (UE) and a mobility management entity (MME), and proposes a method for efficiently processing security-protected NAS messages when EPS mobility management (EMM) messages, i.e. mobility management messages, are transmitted or received in a network such as 3GPP EPS, in particular during handover of the UE in active mode, location management of the UE in idle mode, and registration of the UE with the network, thereby improving the efficiency of mobility, location and registration management.
Brief description of the drawings
Figs. 1 and 2 illustrate the structure and operation for handover in a mobile communication system according to an embodiment of the present invention;
Figs. 3 and 4 illustrate the structure and operation for performing location management in a mobile communication system according to an embodiment of the present invention;
Figs. 5 and 6 illustrate the structure and operation of the registration procedure of a UE according to an embodiment of the present invention;
Figs. 7 to 9 are flowcharts of the mobility management, location management and registration management procedures of the MME in a mobile communication system according to an embodiment of the present invention; and
Fig. 10 is a flowchart of the mobility management, location management and registration management procedures of the UE in an embodiment of the present invention.
Embodiments
Exemplary embodiments of the present invention are described in detail with reference to the accompanying drawings. The same reference numerals are used throughout the drawings to refer to the same or similar parts. Detailed descriptions of well-known functions and structures incorporated herein are omitted so as not to obscure the subject matter of the present invention. The terms used below are defined in consideration of their functions in the present invention, and their meanings may vary according to the intention of a user or operator, or according to convention. Therefore, the definitions of the terms must be interpreted based on the whole content of this specification.
In the following description, the term "state transition request message" refers to any one of a handover request message, a tracking area update (TAU) request message and an attach (detach) request message. The term "old key" refers to the security key related information used in the old MME (serving MME) to which the UE was attached, and the term "new key" refers to the security key related information to be used by the UE with the new MME (target MME) to which it attaches after the state transition.
The term "old key information" refers to the information received from the old MME, and comprises security information such as the base security key identifier (KSIASME) and the base security key (KASME). KASME (Key Access Security Management Entity) can comprise the cipher key (KNASenc) used to encrypt NAS messages, the integrity key (KNASint) used for the integrity protection of NAS messages, and the security key used to generate the evolved Node B key (KeNB), which is used to protect AS (access stratum) messages at the radio interface.
The term "user authentication request message" refers to the authentication message used to generate a new key between the new MME and the UE, and can comprise an authentication token (AUTN), serving as the authentication vector, and a security identifier (KSIASME).
The term "NAS Security Mode Command message" refers to the message that the new MME transmits to the UE after creating the new key, and can comprise a key set index, the UE security capabilities as information about the security algorithms supported by the UE, the ciphering algorithm to be used, and the integrity algorithm to be used.
The present invention provides a method for supporting mobility management, location management and registration management in a mobile communication system using the NAS protocol between the UE and the MME. Although described with reference to a 3GPP EPS system, the present invention can be applied to other mobile communication systems that use NAS.
Although the embodiment of Fig. 1 is directed to the case of two 3GPP EPS networks, the present invention can be applied to the handover of a UE using NAS from 3GPP EPS to another 3GPP EPS, a 3GPP UMTS network, a 3GPP GPRS network, a WiMAX network or a 3GPP2 radio access network. The method of supporting mobility management, location management and registration management using the NAS protocol according to the present invention can be applied to other types of mobile communication systems having a similar technical background and channel format without departing from the spirit and scope of the present invention.
Fig. 1 is a view illustrating a handover scenario in a mobile communication system environment according to an embodiment of the present invention. In this embodiment, the description is given for 3GPP EPS.
Referring to Fig. 1, an evolved Node B (hereinafter called E Node B or eNB interchangeably) 112 establishes a radio connection with a user equipment (hereinafter UE) 110 located in a cell, i.e. the service coverage area of the eNB. The UE 110 is a terminal that accesses a packet data network such as the Internet via a serving gateway (hereinafter serving GW or SGW interchangeably) 116. In the following description, the packet data network gateway (hereinafter PDN GW) 118, a key network entity of the packet data network of the present invention, plays the role of a home agent (hereinafter HA).
Interfaces and data paths for managing the mobility of the UE exist between the eNB 112 (132) and the serving GW 116 (136), and between the MME 114 (134) and the serving GW 116 (136). In an embodiment of the present invention, the UE 110 and the MME 114 (134) have a NAS protocol stack for supporting mobility management, location management, registration management and session management.
In an embodiment of the present invention, the UE 110 can hand over from NW1 141 to NW2 143, or from NW2 to NW1. In an embodiment of the present invention, interfaces for the mobility management, location management and registration of the UE 110 can exist between the MME 114 and the MME 134, and between the eNB 112 and the eNB 132.
In an embodiment of the present invention, the NAS protocol operation between the MME 114 and the UE 110 is described, the MME being introduced for the mobility, location and session management of the UE. That is, the NAS protocol operation between the UE 110 and the MME 114 for mobility, location and session management is evolved so as to strengthen security together with the modified mobility and session management functions.
Fig. 2 is a signalling diagram illustrating a handover procedure using the NAS protocol between the MME and the UE in a mobile communication system configured according to an embodiment of the present invention, as shown in Fig. 1.
Referring to Figs. 1 and 2, in the handover scenario the new MME 134 can operate in the following three ways. One embodiment is case 2, comprising steps 151 to 153 of Fig. 2, in which the new MME 134 uses the security-related information received from the old MME 114. Another embodiment is case 1, corresponding to steps 151, 153, 171 to 179, 181, 191 and 193, which, in addition to the authentication procedure (171 and 173) and the security mode command procedure (175 to 181), also comprises a procedure for interpreting messages using the new security-related information. A further embodiment is case 3, in which steps 151, 153, 161, 163 and 171 to 181 are executed; specifically, after steps 151, 153, 161 and 163 have been executed, if the result of interpreting the TAU request with the old security key in step 163 fails security authentication, steps 171 to 181 are executed.
Referring to Fig. 2, in case 2, in step 151 the serving MME (old MME) 114 transmits a Forward Relocation Request message to the target MME (new MME) 134. The Forward Relocation Request message includes the UE security context. On receiving the Forward Relocation Request message, the target MME 134 transmits a Forward Relocation Response message to the serving MME 114. Then, in step 161, the UE 110 transmits a TAU Request message to the target MME 134, the TAU request message being security-protected with the old key. On receiving the TAU request message, the target MME interprets it using the old key.
As described above, in case 2 of Fig. 2 the serving MME (i.e. the old MME before the handover) transmits to the target MME (i.e. the new MME) 134 a Forward Relocation Request message, which can include the UE security context. On receiving the Forward Relocation Request message, the new MME 134 transmits a Forward Relocation Response message to the old MME 114. Then, the UE 110 transmits to the new MME 134 a TAU request message security-protected with the old key, and the new MME 134 interprets the TAU request message using the old key.
Referring to Fig. 2, in case 1 the serving MME 114 and the target MME 134 execute steps 151 and 153, exchanging a Forward Relocation Request message and a Forward Relocation Response message. Next, in step 171, the target MME 134 transmits a User Authentication Request message to the UE 110. The user authentication request message contains the authentication vector (AUTN) and the security identifier (KSIASME). In response to the user authentication request message, in step 173, the UE 110 transmits a User Authentication Response message to the target MME 134. On receiving the user authentication response message, the target MME 134 generates the cipher key (KNASenc) and the integrity key (KNASint).
Then, in step 177, the target MME 134 transmits to the UE 110 a NAS Security Mode Command containing the key set index (KSI), the UE security capabilities, the ciphering algorithm, the integrity algorithm, and so on. On receiving the NAS security mode command, in step 179 the UE 110 generates the cipher key (KNASenc) and the integrity key (KNASint) based on the KASME indexed by the KSI. As a result of step 179, the target MME 134 and the UE 110 share the same key values. Next, in step 181, the UE 110 transmits a NAS Security Mode Complete message to the target MME 134, which completes the NAS security mode command procedure.
Then, the UE transmits a TAU request message security-protected with the new key, i.e. the new cipher key (KNASenc) or integrity key (KNASint), and the target MME 134 interprets the TAU request message using the new key.
As described above, in case 1 of Fig. 2 the old MME 114 and the new MME 134 exchange a Forward Relocation Request message and a Forward Relocation Response message. Then, the new MME 134 transmits to the UE 110 a user authentication request message containing AUTN and KSIASME. In response to the user authentication request message, the UE transmits a user authentication response message. On receiving the user authentication response message, the new MME 134 generates the cipher key (KNASenc) and the integrity key (KNASint), and transmits a NAS Security Mode Command message to the UE 110. The NAS Security Mode Command message contains the key set index (KSI), the UE security capabilities, the ciphering algorithm, the integrity algorithm, and so on. On receiving the NAS Security Mode Command message, the UE 110 generates the cipher key (KNASenc) and the integrity key (KNASint) based on the KASME indexed by the KSI, so that the MME 134 and the UE 110 share the same key values. Next, the UE 110 transmits a NAS Security Mode Complete message to the target MME 134 to complete the NAS security mode command procedure, and then transmits a TAU request message protected with the new security key, i.e. the new cipher key (KNASenc) or integrity key (KNASint).
Referring to Fig. 2, case 3 can be regarded as the case in which the TAU request message of case 1 fails security authentication. That is, after steps 151, 153 and 161 have been executed, if the target MME 134 cannot pass security authentication when interpreting the TAU request message with the old security key in step 163, then the target MME 134 and the UE 110 execute in steps 171 to 181 the processing corresponding to case 2, so as to generate a new security key and run the NAS security mode procedure by sharing the new security key. Then, the UE 110 transmits a TAU request message security-protected with the new key, i.e. the new cipher key (KNASenc) or integrity key (KNASint), and the target MME 134 interprets the TAU request message using the new key.
As described above, in case 3 of Fig. 2, if security authentication fails as the result of interpreting the TAU request message with the old security key, the new MME 134 and the UE 110 generate and share a new security key and use the new security key to process the TAU request message.
Fig. 3 is the diagrammatic sketch of illustration according to the location management situation in the mobile communication system environment of the embodiment of the invention.In this embodiment, suppose that the mobile communication system is described for 3GPP EPS.
With reference to Fig. 3, the functional entity of mobile communication and structural arrangements environment and Fig. 1's is similar.In Fig. 3, describe and pay close attention to location management function.That is to say, the Fig. 1 that is in activity pattern with UE 110 is different, in the environment of Fig. 3, UE 110 is in idle pulley and is used for conserve power consumption, moves to tracing area 2 (TA2) 243 from tracing area 1 (TA1) 241 after perhaps switching in activity pattern.In this case, need the position of UE be managed.Though tracing area (TA) is accurately positioning UE of unit with the sub-district, it is a kind of notion of management position roughly that is used for.
The signaling diagram of operation that is used for the MME of location management in the mobile communication system that Fig. 4 is an illustration according to the structure as shown in Figure 3 of the embodiment of the invention.In the management scenario of position, new MME 234 can operate in following three kinds of modes.
In the location management situation of situation 2, from step 251 to 259, new MME 234 uses the relevant information of safety that receives from old MME.The location management situation of situation 1 comprises step 251 to 257, step 261 to 269, step 271 and step 181.That is to say that situation 1 also comprises the program that is used to use the relevant information interpretation message of new safety except authentication procedure (step 261 and 263) and safe mode command program (step 265 to 271).In situation 1, when utilizing the old safe context that receives from old MME 214 to explain the trial failure of message, new MME234 and UE 210 carry out authentication and security procedure by step 261 to 271, with generation and shared new security information, and therefore carry out the program of utilizing new security information to send message and utilizing new security information explanation answer message.Situation 3 is wherein to pass through the situation of the message authentication failed of step 251 to 257, and be different from situation 1, when the new safe authentication procedure of needs and when authentication procedure by step 261 to 271 or security procedure failure, in step 291, MME 234 sends positions login refuse information.
The program of situation 1, situation 2 and situation 3 that the operation of the UE be associated with the location management that is used for UE and MME describes is below described in more detail.In situation 2, in step 251, UE 210 will send to new MME 234 by the TAU request message that old key carries out safeguard protection.When receiving the TAU request message, new MME 234 sends to old MME 214 with context request (Context Request) message, to ask the information of relevant UE.In step 257, old MME 214 sends to new MME234 in response to context request message with context response (Context Response) message.Context response information comprises the UE security information, such as basic security key identifier (KSIASME) and basic security key (KASME).Here, KASME (key access security management entity) is used to generate the safe key (KNASenc) of the encipherment protection that is used for NAS message, the enode b key (KeNB) that is used for the NAS Integrity Key (KNASint) of integrity protection and is used to protect access aspect (AS) message.
Next, new MME 234 uses old key to explain the TAU request message (257) that receives from UE 210 in step 251.That is to say, if from UE 210 send to new MME 234, be to utilize old key to carry out safeguard protection as the TAU request message of position log messages, then new MME 234 uses old key to explain the TAU request message in step 257.Here, old key comprises NAS cryptographic key (KNASenc) and NAS Integrity Key (KNASint), is used for protecting the NAS of communication between UE 210 and old MME 214.Next, new MME 234 TAU that will use old key to carry out safeguard protection accepts message and sends to UE 210 (259).
In case 2 of the location management of the UE, if a TAU request message security-protected with the old key is received from UE 210, new MME 234 sends a context request message to old MME 214 to request information about UE 210. On receiving the context request message, old MME 214 sends new MME 234 a context response message containing the security information of the UE, such as KSIasme and Kasme. New MME 234 uses the old key carried in the context response message sent by old MME 214 to interpret the TAU request message received from UE 110, and sends a TAU accept message security-protected with the old key to UE 210. That is, if a TAU request message security-protected with the old key is received, new MME 234 requests the old key information of UE 210 from old MME 214, interprets the TAU request message with the old key, and sends a TAU accept message security-protected with the old key to UE 210 to register the location.
In case 1 of the location management for the UE, steps 251 to 257 are performed in the same way as in case 2. If interpretation of the TAU request message with the old key fails in step 257, new MME 234 sends a user authentication request message to UE 210 (261). The user authentication request message includes the authentication vector, i.e. AUTN (authentication token), and the security key identifier (KSIASME). In response to the user authentication request message, UE 210 sends a user authentication response message to new MME 234.
On receiving the user authentication response message, new MME 234 generates new security information, i.e. the encryption key (KNASenc) and the integrity key (KNASint). Next, new MME 234 sends a NAS Security Mode Command message to UE 210 (267). The NAS Security Mode Command message includes the encryption key identifier (key set index), the UE security capabilities, the ciphering algorithm and the integrity algorithm. On receiving the NAS Security Mode Command message, UE 210 generates KNASenc and KNASint based on the KASME indexed by the KSI (269). As a result of step 269, new MME 234 and UE 210 share identical encryption key values. Next, UE 210 sends a security mode complete message to the new MME to finish the NAS security mode command procedure (271). On receiving the NAS security mode complete message, new MME 234 sends a TAU accept message to UE 210; this TAU accept message is the location registration response message, protected with the new encryption key (KNASenc) or integrity key (KNASint).
If new MME 234 fails to interpret the TAU request message protected with the old encryption key, or fails to obtain the old key, new MME 234 generates new security keys (KNASenc and KNASint) and sends a NAS Security Mode Command message to UE 210, so that UE 210 also generates the new security keys (KNASenc and KNASint). As a result of the NAS security mode procedure, new MME 234 and UE 210 share identical security keys.
In case 3 of the location management for UE 210, steps 251 to 257 and steps 261 to 271 are performed such that steps 261 to 271 are executed when interpretation of the TAU request message with the old key fails in step 257. Unlike case 2, in case 3, if the authentication procedure of steps 261 and 263 fails, or if the authentication procedure succeeds but an error occurs in any step of the Security Mode Command (SMC) procedure of steps 267 to 271, UE 210 and new MME 234 may hold different security keys. In this case, new MME 234 sends a TAU reject message to the UE (291).
In case 3 of the location management procedure, if the TAU request message cannot be interpreted with the old key and the user authentication or NAS security mode procedure between the new MME and the UE fails, the new MME and the UE hold different security keys, and therefore the new MME sends a TAU reject message to the UE.
Fig. 5 is a diagram illustrating a UE registration scenario in a mobile communication system environment according to an embodiment of the present invention.
Referring to Fig. 5, when UE 310 attempts to connect to the network for the first time, an attach procedure may be performed. Conversely, when UE 310 no longer needs to be connected to the EPS network, a detach procedure may be performed; and when UE 310 has not communicated with MME 314 for a long time, or the network decides to disconnect it, UE 110 may perform the detach procedure.
Fig. 6 is a signaling diagram illustrating the UE attach and detach procedures in the mobile communication system configured as in Fig. 5.
Referring to Figs. 5 and 6, new MME 334 may operate in the following three ways (case 1 to case 3) in the UE attach procedure.
In case 2, step 351, steps 361 to 365 and step 371 may be performed, and new MME 334 uses the security information received from old MME 314. In case 1, step 351, steps 361 to 365, steps 381 to 391 and step 395 may be performed, and in addition to the authentication procedure of steps 381 and 383 and the security mode command procedure of steps 385 to 391, a procedure for interpreting messages with the new security information is performed. Case 1 is the case in which interpreting the message with the old security context received from old MME 314 fails, and it includes the following procedures: exchanging messages with the new security information obtained through the authentication and security procedures of steps 381 to 391, and interpreting messages with the new security information. Case 3 is the case in which the security authentication of the message fails after step 351 and steps 361 to 365 have been performed and, unlike case 1, when a new security authentication procedure is needed and the authentication procedure of steps 381 to 391 or the security procedure fails, the MME sends an attach reject message to UE 310 in response to the UE registration (attach or detach) request.
The procedures of these three cases are described in detail below.
In the procedure of case 2, UE 310 sends an Attach Request message, security-protected with the old key, to new MME 334 (351). On receiving the attach request message, new MME 334 sends an Identification Request message to old MME 314 to request information about UE 310 (361). In response to the identification request message, old MME 314 sends an Identification Response message to new MME 334 (363). The identification response message includes the base security identifier (KSIASME) and the base security key (KASME) as the security information of the UE. KASME (key access security management entity) is used to generate the NAS encryption key (KNASenc) used for ciphering protection of NAS messages, the NAS integrity key (KNASint) used for integrity protection, and the eNode B key (KeNB) used to protect access stratum (AS) messages. On receiving the identification response message, new MME 334 uses the old key to interpret the attach request message sent by UE 310 in step 351 (365). The old key comprises the NAS security key (KNASenc) and the NAS integrity key (KNASint) used to protect the NAS messages exchanged between UE 310 and old MME 314. After interpreting the attach request message with the old key, new MME 334 sends an attach accept message, security-protected with the old key, to UE 310 (371).
In the procedure of case 1, step 351 and steps 361 to 365 are performed in the same way as in case 2. However, when interpretation of the attach request message security-protected with the old key fails in step 365, new MME 334 sends a user authentication request message to UE 310 (381). The user authentication request message includes the authentication vector, i.e. AUTN (authentication token), and the authentication key identifier (KSIASME). In response to the user authentication request message, UE 310 sends a user authentication response message to new MME 334 (383).
When user authentication succeeds by means of the user authentication messages, MME 334 generates the encryption key (KNASenc) and the integrity key (KNASint) (385). Next, new MME 334 sends a NAS Security Mode Command message to UE 310 (387). The NAS Security Mode Command message includes the security key identifier (key set index), the UE security capabilities as information about the security algorithms supported by the UE, the ciphering algorithm to be used and the integrity algorithm to be used. On receiving the NAS Security Mode Command message, UE 310 generates the encryption key (KNASenc) and the integrity key (KNASint) based on the KASME indexed by the KSI (389), and as a result shares identical key values with new MME 334 (389). Next, UE 310 sends a security mode complete message to new MME 334 to finish the NAS security mode command procedure. Then, new MME 334 sends an attach accept message, protected with the security key, i.e. KNASenc or KNASint, to UE 310 as the attach registration response (395).
In the procedure of case 3, step 351, steps 361 to 365, step 381 and step 391 are performed such that steps 371 to 191 are executed when, as a result of interpreting the attach request message with the old key, new MME 334 fails to authenticate the user. Unlike case 2, in case 3, when the authentication procedure fails at either of steps 381 and 383, or when the authentication procedure succeeds but the security mode command (SMC) procedure fails at any of steps 367 to 391, UE 310 and new MME 334 hold different security keys. In this case, new MME 334 sends an attach reject message to UE 310 (399).
The description above covers the case in which, on receiving a state transition message (here, a handover, TAU or attach (detach) request message), the new MME receives the old key from the old MME and uses the old key to interpret the corresponding request message. However, the MME may instead generate a new key and interpret the message with the new key, without going through the process of interpreting the message with the old key. That is, on receiving a state transition message (here, a handover, TAU or attach (detach) request message), the MME may generate a new key to process the request message, skipping the request message interpretation process based on the old key (steps 151, 153 and 163 of Fig. 2; steps 253, 255, 257 and 259 of Fig. 4; and steps 361, 363, 365 and 371 of Fig. 6).
Figs. 7 to 9 are flowcharts illustrating the mobility, location and registration management procedures of the MME in a mobile communication system according to an embodiment of the present invention. Fig. 10 is a flowchart illustrating the mobility, location and registration management procedures of the UE in a mobile communication system according to an embodiment of the present invention. Although the description made with reference to Figs. 7 to 10 focuses on the case in which the MME interprets a message sent by the UE, the present invention can also be applied to the case in which the UE interprets a message sent by the MME, provided the operating characteristics are the same. Apart from the context to be exchanged for the operations of the MME and the UE shown in Figs. 7 to 10, a detailed description of the messages is omitted here.
Referring to Figs. 7 to 9, the NAS protocol is used to support the management procedures between the UE and the MME described above. The NAS protocol includes a security-protected NAS protocol and a NAS protocol without security protection, and EPS mobility management (EMM) NAS messages and EPS session management (ESM) NAS messages exist to support the EPS NAS protocol. On receiving a request message (a handover request, a TAU request or an attach (detach) request), the MME analyzes the type of the request (401) and operates according to which message (i.e. handover, location management or registration request message) was received.
If it is determined in step 401 that a handover request message was received, the procedure advances to step 411, where the MME performs the handover-related processing. In an embodiment of the present invention, it is assumed in the environment of Fig. 1 that UE 110 moves from network NW 1 141 under the control of MME 114 to network NW 2 143 under the control of MME 134. Although a handover may change the MME to another MME without changing the serving GW, there may also be cases in which the serving GW is switched to another GW.
In the handover case, serving MME (or old MME) 114 sends information about the UE to the target MME in a FORWARD RELOCATION REQUEST/RESPONSE message. This information includes the security-related parameters, i.e. the KSI (key set identifier), the authentication parameters or authentication vector, and the security keys comprising the NAS KSI (key set identifier) and the NAS encryption key (KNASenc) or integrity key (KNASint). The target MME determines whether to perform a new user authentication and/or security mode command procedure with the UE (413). If it determines to perform a new authentication procedure and/or security mode command (SMC) procedure with the UE, the MME obtains, through the authentication procedure or the security mode command procedure, the security keys comprising the new security-related parameters, i.e. the KSI (key set identifier), the authentication parameters or authentication vector, the NAS KSI (key set identifier) and the NAS encryption key (KNASenc) or integrity key (KNASint).
Therefore, if it determines to perform the authentication, SMC or NAS SMC procedure, the target MME receives from the UE a TRACKING AREA UPDATE REQUEST (hereinafter, TAU request) NAS message that is security-protected with the security keys comprising the NAS KSI (key set identifier) and the NAS encryption key (KNASenc) or integrity key (KNASint) (415). On receiving the TAU request NAS message, the MME interprets the TAU REQUEST message with the security keys comprising the new security-related parameters, i.e. the KSI (key set identifier), the authentication parameters or authentication vector, the NAS KSI (key set identifier) and the NAS encryption key (KNASenc) or integrity key (KNASint) (417).
If it determines not to perform authentication, SMC or NAS SMC, the MME receives from the UE a TAU REQUEST message security-protected with the old key, where the old key comprises the security parameters used between the MME and the UE, that is, old parameters such as the old KSI (key set identifier), the old authentication parameters or authentication vector, the old NAS KSI (key set identifier) and the old NAS encryption key (KNASenc) or old integrity key (KNASint). Next, the MME interprets the TAU REQUEST message with the old security keys, which comprise the security parameters used between the MME and the UE, that is, old parameters such as the old KSI (key set identifier), the old authentication parameters or authentication vector, the old NAS KSI (key set identifier) and the old NAS encryption key (KNASenc) or old integrity key (KNASint).
If it is determined in step 401 that a TRACKING AREA UPDATE (hereinafter, TAU) message was received, the procedure advances to step 431, where the target MME performs the TAU REQUEST processing. The TAU REQUEST message is security-protected with the old security keys, which comprise the old security parameters used between the old serving MME and UE 110, such as the KSI (key set identifier), the old authentication parameters or authentication vector, the old NAS KSI (key set identifier) and the old NAS encryption key (KNASenc) or old integrity key (KNASint). In this case, the new MME receives the security-related parameters from the old MME in a CONTEXT RESPONSE message. To receive the security parameters from the old MME, the new MME must know the old MME and the UE. That is, on receiving the TAU REQUEST message in step 431, in order to identify the old MME and the UE, the new MME must know the last visited registered tracking area identity (TAI) and the UE identifier, i.e. the old globally unique temporary identity (GUTI); these are security-protected but must not be ciphered, so that the new MME can request the security parameter information from the old MME. When the security parameters (NAS KSI, key, authentication parameters and KSI) are received from the old MME in step 433, the new MME interprets the TAU REQUEST message with the old security parameters (the NAS key, authentication parameters and KSI of the old MME) (435).
Next, the new MME decides whether to perform the authentication procedure (437). If the integrity check fails, the new MME performs the authentication procedure. Specifically, when the security verification fails in step 435, the new MME must perform the authentication procedure in step 439. If it is decided in step 439 to perform the authentication, NAS SMC or SMC procedure, the new MME sends a TAU ACCEPT message protected with the new security parameters to the UE (441). Otherwise, if it is decided in step 439 not to perform the authentication, NAS SMC or SMC procedure, the new MME sends a TAU ACCEPT message protected with the old security parameters to the UE (443).
If it is determined in step 401 that an attach request message was received, the procedure advances to step 461, where the new MME performs the attach-related processing. The ATTACH REQUEST message received in step 460 is protected with the old security keys, which comprise the old security parameters used between the old serving MME and the UE, such as the KSI (key set identifier), the old authentication parameters or authentication vector, the old NAS KSI (key set identifier) and the old NAS encryption key (KNASenc) or old integrity key (KNASint). In this case, the new MME determines whether it holds the security parameters of UE 110 (463) and, if so, interprets the ATTACH REQUEST message with those security parameters (469). If the procedure proceeds from step 463 to step 469, this means that the UE had registered with the new MME but was detached for some reason, and the UE shares the same security-related parameters with the MME. If the new MME does not hold the security parameters of the UE, the new MME determines whether it can obtain the new security-related parameters from the old MME (465). If the security-related parameters cannot be obtained from the old MME, the new MME fails to interpret the message and therefore sends an error message to the UE (479). This is so that the UE sends a message without security protection, or resends the security-protected message.
When the security-related parameters are received from the old MME (467), the new MME interprets the ATTACH REQUEST message in step 469 with the security parameter information sent by the old MME. To obtain the security parameters from the old MME in step 469, the new MME must know the old MME and the corresponding UE when it receives the ATTACH REQUEST message in step 461. Such information can be obtained from the TAI of the last visited registration and the UE identifier in the GUTI, i.e. the old GUTI, which, although security-protected, must not be ciphered, so that the new MME can request the security parameter information from the old MME.
Next, the new MME decides whether to perform authentication (471), and the authentication procedure then begins (473); in particular, when the security verification fails in step 469, the new MME performs the security procedure in step 473. If the authentication, NAS SMC or SMC procedure is performed in step 473, the new MME sends and receives NAS messages with the new security parameters (475). If the authentication, NAS SMC or SMC procedure is not performed in step 473, the new MME sends and receives NAS messages with the old security parameters (477).
Fig. 10 is a flowchart illustrating the procedure for supporting the mobility, location and registration management of the UE in a mobile communication system according to an embodiment of the present invention. The description focuses on the processes of generating, sending/receiving and verifying NAS messages.
Referring to Fig. 10, the UE determines whether it has security keys comprising an available KSI (key set identifier), authentication parameters or authentication vector, NAS KSI (key set identifier) and NAS encryption key (KNASenc) or integrity key (KNASint) (501). Here, the KSI is the identifier of the key used in the authentication procedure between the UE and the MME, and the authentication parameters or authentication vector are necessary for the authentication procedure. The NAS KSI is the identifier used to distinguish the key that will be used to cipher NAS messages, and the key is the security-related key shared by the UE and the MME, i.e. the NAS security-related key necessary for the UE and the MME to communicate with NAS messages, namely the NAS encryption key (KNASenc) or integrity key (KNASint). Here, the KSI is identical to the NAS KSI. The KSI may be the KSIASME or the KSISGSN value used in the handover case. That is, the KSIASME base security identifier is used to identify the base security key KASME, and since the NAS encryption key (KNASenc) or integrity key (KNASint) is generated from the base security key KASME, the KSI equals the NAS KSI. In the case of the KSISGSN used in a handover from GERAN/UTRAN, where the KSI is not a KSIASME, to the E-UTRAN of 3GPP LTE, the KSIASME base security identifier is the value associated with K'ASME, which is generated from the cipher key (CK) and integrity key (IK), i.e. the value associated with the key K'ASME generated by a new authentication procedure or by mapping to an EPS SECURITY CONTEXT. Therefore, if in step 501 the UE has no available security-related values, in particular no NAS KSI or NAS security-related keys, i.e. no NAS encryption key (KNASenc) or integrity key (KNASint), the UE sends a NAS message without security protection (513). If the UE has an available NAS KSI or NAS security-related keys, the UE determines whether to send a security-protected message, and if the UE does not want to send a security-protected message, the procedure advances to step 513.
If it wants to send a security-protected message, the UE generates a NAS message with the KSI (key set identifier), the authentication parameters or authentication vector, the NAS KSI (key set identifier) and the security keys, and sends the NAS message. Next, the UE receives the new security-related parameters for the MME (507). Here, the security-related parameters include the KSI (key set identifier), the authentication parameters or authentication vector, the NAS KSI (key set identifier) and the NAS encryption key (KNASenc) or integrity key (KNASint). Such security-related parameters can be obtained from the MME through the authentication procedure or the security mode command procedure. After step 507, the UE verifies the new security-related parameters, i.e. the security keys comprising the KSI (key set identifier), the authentication parameters or authentication vector, the NAS KSI (key set identifier) and the NAS encryption key (KNASenc) or integrity key (KNASint) (509). After the verification procedure, the UE generates and sends a NAS message with the new security-related parameters (511).
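As an added example, not part of the patent, the following Python model walks through the three cases of the TAU handling (Figs. 4 and 7 to 9) and the UE's key-availability check of Fig. 10: the new MME fetches the old context, tries the old integrity key first, falls back to authentication and NAS SMC, and rejects when authentication fails. HMAC-SHA256 stands in for the NAS integrity algorithm and for the KASME key derivation, and the GUTI, AUTN and key values are constructed placeholders.

```python
"""Constructed model (added example, not the patent's code) of the NAS security
handling described above.  HMAC-SHA256 stands in for the 3GPP NAS integrity
algorithm and for the KASME -> KNASenc/KNASint derivation; the real KDF,
AUTN/RES computation and message encodings are not reproduced."""
import hashlib
import hmac
from dataclasses import dataclass


def derive_nas_keys(kasme: bytes):
    """Simplified stand-in for the KDF: both NAS keys are derived from KASME."""
    kenc = hmac.new(kasme, b"NAS-enc", hashlib.sha256).digest()
    kint = hmac.new(kasme, b"NAS-int", hashlib.sha256).digest()
    return kenc, kint


def nas_mac(knasint: bytes, payload: bytes) -> bytes:
    """32-bit NAS-MAC over the payload (truncated HMAC, constructed)."""
    return hmac.new(knasint, payload, hashlib.sha256).digest()[:4]


@dataclass
class NasMessage:
    kind: str       # "TAU REQUEST", "TAU ACCEPT" or "TAU REJECT"
    ksi: int        # key set identifier, sent in clear so the peer can index its keys
    payload: bytes  # carries the old GUTI in clear, never ciphered (step 431)
    mac: bytes = b""


class SecurityContext:
    """KSI + KASME and the NAS keys derived from them (shared by UE and MME)."""
    def __init__(self, ksi: int, kasme: bytes):
        self.ksi, self.kasme = ksi, kasme
        self.knasenc, self.knasint = derive_nas_keys(kasme)

    def protect(self, kind: str, payload: bytes) -> NasMessage:
        return NasMessage(kind, self.ksi, payload, nas_mac(self.knasint, payload))

    def verify(self, msg: NasMessage) -> bool:
        return hmac.compare_digest(nas_mac(self.knasint, msg.payload), msg.mac)


class UE:
    def __init__(self, ctx, auth_secret: bytes):
        self.ctx = ctx                  # None when no NAS keys are available (step 501)
        self.auth_secret = auth_secret  # stands in for the USIM key (constructed)

    def send(self, kind: str, payload: bytes) -> NasMessage:
        if self.ctx is None:            # no usable key: unprotected NAS message (step 513)
            return NasMessage(kind, -1, payload)
        return self.ctx.protect(kind, payload)

    def authentication_response(self, autn: bytes) -> bytes:      # step 263 / 383
        return hmac.new(self.auth_secret, autn, hashlib.sha256).digest()

    def security_mode_command(self, ksi: int, kasme: bytes) -> str:  # step 269 / 389
        self.ctx = SecurityContext(ksi, kasme)   # derive the keys indexed by the KSI
        return "SECURITY MODE COMPLETE"          # step 271


class OldMME:
    def __init__(self, contexts):
        self.contexts = contexts        # old GUTI -> SecurityContext

    def context_response(self, guti: str):       # steps 255/257 (361/363 for attach)
        return self.contexts.get(guti)


class NewMME:
    def __init__(self, hss_secret: bytes, new_kasme: bytes):
        self.hss_secret = hss_secret    # expected-response material from the HSS (constructed)
        self.new_kasme = new_kasme      # KASME a fresh authentication would yield (constructed)

    def handle_tau(self, ue: UE, old_mme: OldMME, guti: str, req: NasMessage):
        """Returns (case, reply) with case 2, case 1 or case 3 as described above."""
        old = old_mme.context_response(guti)
        if old is not None and old.verify(req):        # old key interprets the message
            return "case2", old.protect("TAU ACCEPT", b"accept")          # step 259 / 443
        # Interpretation failed (or no old context): authentication, then NAS SMC.
        autn = b"constructed-AUTN"
        expected = hmac.new(self.hss_secret, autn, hashlib.sha256).digest()
        if not hmac.compare_digest(ue.authentication_response(autn), expected):
            return "case3", NasMessage("TAU REJECT", -1, b"auth failure")  # step 291
        new = SecurityContext(old.ksi + 1 if old else 0, self.new_kasme)  # fresh KSI (constructed)
        if ue.security_mode_command(new.ksi, new.kasme) != "SECURITY MODE COMPLETE":
            return "case3", NasMessage("TAU REJECT", -1, b"smc failure")   # step 291
        return "case1", new.protect("TAU ACCEPT", b"accept")              # step 441


def run_scenario(stale_old_context: bool, wrong_auth_secret: bool):
    """Drive one TAU; returns (case, UE accepted the reply, KSI the UE now holds)."""
    ue_kasme = b"\x01" * 32                                   # constructed key material
    old_kasme = b"\x02" * 32 if stale_old_context else ue_kasme
    ue = UE(SecurityContext(3, ue_kasme), auth_secret=b"ue-secret")
    old_mme = OldMME({"old-guti": SecurityContext(3, old_kasme)})
    new_mme = NewMME(b"other" if wrong_auth_secret else b"ue-secret", b"\x03" * 32)
    req = ue.send("TAU REQUEST", b"TAU:old-guti")              # step 251
    case, reply = new_mme.handle_tau(ue, old_mme, "old-guti", req)
    accepted = reply.kind == "TAU ACCEPT" and ue.ctx.verify(reply)   # UE side, step 509
    return case, accepted, ue.ctx.ksi
```

`run_scenario(False, False)` is case 2, `run_scenario(True, False)` is case 1 (the UE ends up on the new KSI), and `run_scenario(True, True)` is case 3 with a TAU REJECT the UE does not accept.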
Although exemplary embodiments of the present invention have been described in detail above, it should be clearly understood that many variations and/or modifications of the basic inventive concept taught herein, which will be apparent to those skilled in the art, fall within the spirit and scope of the present invention as defined in the appended claims.

Claims (16)

1. A method for handling state information of a UE in a mobile communication system, comprising:
at the UE, sending a state transition request message to a new MME;
at the new MME, receiving old key information from an old MME; and
at the new MME, sending a response message to the UE after interpreting the request message with the old key information.
2. The method of claim 1, wherein the old key information comprises KSIasme and KASME.
3. The method of claim 1, further comprising:
at the new MME, sending to the UE a NAS Security Mode Command message comprising new key information generated when interpretation of the request message fails; and
at the UE, sending to the new MME a response to the NAS Security Mode Command message, generated with new key information of the UE.
4. The method of claim 3, wherein the new key information generated by the new MME comprises a NAS encryption key (KNASenc) and an integrity key (KNASint); the NAS Security Mode Command message comprises a security identifier (KSI), UE security capabilities, a ciphering algorithm to be used and an integrity algorithm; and the new key information generated by the UE comprises an encryption key (KNASenc) and an integrity key (KNASint) generated based on the base security key (KASME) indexed by the security identifier (KSI) of the NAS Security Mode Command message.
5. The method of claim 3, further comprising: at the new MME, sending a user authentication request message when interpretation of the request message with the old key fails, and replying to the user authentication request message at the UE.
6. The method of claim 5, wherein the user authentication request message comprises an authentication vector (AUTN) and a security key identifier (KSIASME).
7. The method of any one of claims 1, 3 and 5, wherein the state transition request message is one of a handover request message, a TAU request message and an attach (detach) request message.
8. A method for handling state information of a UE in a mobile communication system, comprising:
at the UE, sending to a new MME a state transition request message security-protected with a new key;
at the new MME, responding to the state transition request message by sending a user authentication request message;
at the new MME, generating a new key and sending a NAS Security Mode Command message with the new key to the UE; and
at the UE, generating a new key based on the new key information of the new MME, and replying to the NAS Security Mode Command message.
9. The method of claim 8, wherein the new key information generated by the new MME comprises a NAS encryption key (KNASenc) and an integrity key (KNASint); the NAS Security Mode Command message comprises a security identifier (KSI), UE security capabilities, a ciphering algorithm to be used and an integrity algorithm; and the new key information generated by the UE comprises an encryption key (KNASenc) and an integrity key (KNASint) generated based on the base security key (KASME) indexed by the security identifier (KSI) of the NAS Security Mode Command message.
10. The method of claim 9, wherein the user authentication request message comprises an authentication vector (AUTN) and a security identifier (KSIASME).
11. A method for handling a handover in a mobile communication system, comprising:
at an old MME, sending to a new MME a forward relocation request message with old key information of a UE;
at the UE, sending to the new MME a TAU request message security-protected with the old key; and
at the new MME, interpreting the TAU request message with the old key.
12. The method of claim 11, further comprising:
at the new MME, sending a user authentication request message when interpretation of the TAU request message with the old key fails, and replying to the user authentication request message at the UE;
at the new MME, generating a new key and sending to the UE a NAS Security Mode Command message with information about the new key;
at the UE, generating a new key with the new key information of the new MME, and replying to the NAS Security Mode Command message; and
at the UE, sending to the new MME a TAU request message security-protected with the new key, and processing said message with the new key at the new MME.
13. A method for handling a location update of a UE in a mobile communication system, comprising:
at the UE, sending to a new MME a TAU request message security-protected with an old key;
at the new MME, requesting from an old MME information related to the old key of the UE, and receiving the old key information; and
at the new MME, interpreting the TAU request message with the old key, and sending to the UE a TAU accept message security-protected with the old key.
14. The method of claim 13, further comprising:
at the new MME, sending a user authentication request message when interpretation of the TAU request message with the old key fails, and replying to the user authentication request at the UE;
at the new MME, generating a new key and sending to the UE a NAS Security Mode Command message with information about the new key;
at the UE, generating a new key based on the new key information of the new MME, and replying to the NAS Security Mode Command message; and
at the UE, sending to the new MME a TAU request message security-protected with the new key, and processing said message with the new key at the new MME.
15. A method for handling registration of a UE in a mobile communication system, comprising:
at the UE, sending to a new MME a registration request message security-protected with an old key;
at the new MME, requesting from an old MME information related to the old key of the UE, and receiving the old key information; and
at the new MME, interpreting said registration request message, and sending to the UE a registration accept message security-protected with the old key.
16. The method of claim 15, further comprising:
at the new MME, sending a user authentication request message when interpretation of the registration request message with the old key fails, and replying to the user authentication request message;
at the new MME, generating a new key and sending to the UE a NAS Security Mode Command message with information about the new key;
at the UE, generating a new key based on the new key information of the new MME, and replying to the NAS Security Mode Command message; and
at the UE, sending to the new MME a registration request message security-protected with the new key, and processing said message with the new key at the new MME.
CN200980140975.1A 2008-08-15 2009-08-14 Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system Active CN102187599B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
KR10-2008-0080205 2008-08-15
KR20080080205 2008-08-15
PCT/KR2009/004570 WO2010019020A2 (en) 2008-08-15 2009-08-14 Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system

Publications (2)

Publication Number Publication Date
CN102187599A true CN102187599A (en) 2011-09-14
CN102187599B CN102187599B (en) 2015-04-01

Family

ID=41669507

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200980140975.1A Active CN102187599B (en) 2008-08-15 2009-08-14 Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system

Country Status (6)

Country Link
US (1) US8638936B2 (en)
EP (2) EP3554113A1 (en)
JP (1) JP5390611B2 (en)
KR (1) KR101579757B1 (en)
CN (1) CN102187599B (en)
WO (1) WO2010019020A2 (en)

KR101712865B1 (en) * 2010-09-09 2017-03-08 삼성전자주식회사 Communication supporting method and apparatus using non-access stratum protocol in mobile telecommunication system
US8929334B2 (en) 2010-11-16 2015-01-06 Qualcomm Incorporated Systems and methods for non-optimized handoff
US8743828B2 (en) 2010-11-16 2014-06-03 Qualcomm Incorporated Systems and methods for non-optimized handoff
EP3606001A1 (en) * 2013-01-10 2020-02-05 NEC Corporation Mtc key management for key derivation at both ue and network
WO2015015714A1 (en) * 2013-07-31 2015-02-05 Nec Corporation Devices and method for mtc group key management
CN104581652B (en) 2013-10-15 2018-12-07 华为技术有限公司 Message treatment method, the method and apparatus for selecting MME
US9955393B2 (en) * 2014-05-08 2018-04-24 Interdigital Patent Holdings, Inc. Methods and apparatus for selection of dedicated core network
KR102102858B1 (en) * 2014-05-13 2020-04-23 주식회사 케이티 System with simplified authentication procedure when transitioning from WCDMA network into LTE network
US10104603B2 (en) 2014-05-30 2018-10-16 Nec Corporation Apparatus, system and method for dedicated core network
US9693219B2 (en) 2014-10-24 2017-06-27 Ibasis, Inc. User profile conversion to support roaming
US9585013B2 (en) * 2014-10-29 2017-02-28 Alcatel Lucent Generation of multiple shared keys by user equipment and base station using key expansion multiplier
EP3547739A1 (en) * 2015-02-13 2019-10-02 NEC Corporation Apparatus, system and method for security management
RU2017132104A (en) * 2015-02-16 2019-03-18 Нек Корпорейшн COMMUNICATION SYSTEM, NODE DEVICE, COMMUNICATION TERMINAL, KEY CONTROL METHOD AND ENERGY INDEPENDENT READABLE COMPUTER READABLE MEDIA ON WHICH THE PROGRAM IS STORED
US9686675B2 (en) * 2015-03-30 2017-06-20 Netscout Systems Texas, Llc Systems, methods and devices for deriving subscriber and device identifiers in a communication network
US9883385B2 (en) 2015-09-15 2018-01-30 Qualcomm Incorporated Apparatus and method for mobility procedure involving mobility management entity relocation
US10334435B2 (en) 2016-04-27 2019-06-25 Qualcomm Incorporated Enhanced non-access stratum security
EP3479614A4 (en) * 2016-07-01 2019-11-27 Nokia Technologies Oy Secure communications
US20170013651A1 (en) * 2016-09-22 2017-01-12 Mediatek Singapore Pte. Ltd. NAS Security And Handling Of Multiple Initial NAS Messages
JP6763435B2 (en) * 2016-10-26 2020-09-30 日本電気株式会社 Source core network nodes, terminals, and methods
EP3574669B1 (en) * 2017-01-30 2021-10-13 Telefonaktiebolaget LM Ericsson (Publ) Security context handling in 5g during connected mode
CN109314861B (en) * 2017-05-04 2021-09-07 华为技术有限公司 Method, device and communication system for obtaining secret key
CN116866905A (en) * 2017-09-27 2023-10-10 日本电气株式会社 Communication terminal and method of communication terminal
CN109803333B (en) * 2017-11-17 2022-04-19 中兴通讯股份有限公司 Coupling redirection method and device
US10542428B2 (en) 2017-11-20 2020-01-21 Telefonaktiebolaget Lm Ericsson (Publ) Security context handling in 5G during handover
CN110099382B (en) * 2018-01-30 2020-12-18 华为技术有限公司 Message protection method and device
KR102405412B1 (en) * 2018-04-06 2022-06-07 삼성전자주식회사 Apparatus and method for security of information in wireless communication
KR102425582B1 (en) * 2018-05-11 2022-07-26 삼성전자주식회사 Apparatus and method for security protection in wireless communication system
KR102449988B1 (en) * 2018-06-29 2022-10-05 삼성전자주식회사 Apparatus and method for data communication in wireless communication system
US11689920B2 (en) * 2018-09-24 2023-06-27 Nokia Technologies Oy System and method for security protection of NAS messages
US20220338071A1 (en) * 2019-09-25 2022-10-20 Samsung Electronics Co., Ltd. Method and device for performing communication in wireless communication system
CN110933669A (en) * 2019-11-21 2020-03-27 北京长焜科技有限公司 Method for quickly registering cross-RAT user
EP4064748A4 (en) * 2019-12-13 2022-11-16 Huawei Technologies Co., Ltd. Communication method, apparatus and system
CN115362702A (en) * 2020-04-07 2022-11-18 苹果公司 Tracking Area Identifier (TAI) change during authentication request processing
KR102279293B1 (en) 2020-08-07 2021-07-20 한국인터넷진흥원 Method and apparatus for detecting null-ciphering channels

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070249352A1 (en) * 2006-03-31 2007-10-25 Samsung Electronics Co., Ltd. System and method for optimizing authentication procedure during inter access system handovers
US20080025263A1 (en) * 2006-06-16 2008-01-31 Nokia Corporation Apparatus and method for transferring PDP context information for a terminal in the case of intersystem handover

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR19990004237A (en) * 1997-06-27 1999-01-15 김영환 Apparatus and method for encrypting / decrypting data in asynchronous transmission mode network
FI111423B (en) * 2000-11-28 2003-07-15 Nokia Corp A system for securing post-handover communications
US8127136B2 (en) * 2004-08-25 2012-02-28 Samsung Electronics Co., Ltd Method for security association negotiation with extensible authentication protocol in wireless portable internet system
JP2009525681A (en) * 2006-01-31 2009-07-09 インターデイジタル テクノロジー コーポレーション Method and system for performing cell update and RA (routing area) update procedures while a WTRU (Wireless Transmit Receive Unit) is in a standby state
GB0619409D0 (en) * 2006-10-02 2006-11-08 Vodafone Plc Telecommunications networks
EP1914930A1 (en) * 2006-10-17 2008-04-23 Matsushita Electric Industrial Co., Ltd. User plane entity selection in a mobile communication system having overlapping pool areas
CA2665452C (en) * 2006-10-31 2016-01-05 Qualcomm Incorporated Inter-enode b handover procedure
FI20075297A0 (en) * 2007-04-27 2007-04-27 Nokia Siemens Networks Oy Method, radio system and base station

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
NOKIA et al.: "3GPP TSG SA WG3 Security — SA3#51", 18 April 2008 *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013040962A1 (en) * 2011-09-23 2013-03-28 电信科学技术研究院 Data sending and receiving method and device
CN102572816A (en) * 2011-12-27 2012-07-11 电信科学技术研究院 Method and device for mobile switching
CN102572816B (en) * 2011-12-27 2014-08-06 电信科学技术研究院 Method and device for mobile switching
CN105578456A (en) * 2014-10-14 2016-05-11 成都鼎桥通信技术有限公司 End-to-end encryption method for TD-LTE cluster communication system, equipment, and system
CN105578456B (en) * 2014-10-14 2019-01-25 成都鼎桥通信技术有限公司 End to End Encryption method, equipment and the system of TD-LTE trunked communication system
US11770247B2 (en) 2017-01-27 2023-09-26 Samsung Electronics Co., Ltd. Method for providing end-to-end security over signaling plane in mission critical data communication system
US11316678B2 (en) 2017-01-27 2022-04-26 Samsung Electronics Co., Ltd. Method for providing end-to-end security over signaling plane in mission critical data communication system
CN110249584A (en) * 2017-01-27 2019-09-17 三星电子株式会社 For providing the method for End-to-End Security by signaling plane in task critical data communication system
CN110249584B (en) * 2017-01-27 2022-04-19 三星电子株式会社 Method for providing end-to-end security in mission critical data communication systems
CN108924841B (en) * 2017-03-20 2021-11-19 ***通信有限公司研究院 Security protection method and device, mobile terminal, base station and MME (mobility management entity) equipment
CN108924841A (en) * 2017-03-20 2018-11-30 ***通信有限公司研究院 Method for security protection, device, mobile terminal, base station and MME equipment
CN109586913B (en) * 2017-09-28 2022-04-01 ***通信有限公司研究院 Security authentication method, security authentication device, communication device, and storage medium
CN109586913A (en) * 2017-09-28 2019-04-05 ***通信有限公司研究院 Safety certifying method, safety certification device, communication equipment and storage medium
CN113170369A (en) * 2018-10-04 2021-07-23 诺基亚技术有限公司 Method and apparatus for security context handling during an intersystem change
CN113170369B (en) * 2018-10-04 2024-06-14 诺基亚技术有限公司 Method and apparatus for security context handling during intersystem changes

Also Published As

Publication number Publication date
JP2012500511A (en) 2012-01-05
EP2315371A2 (en) 2011-04-27
US20110142239A1 (en) 2011-06-16
WO2010019020A3 (en) 2010-07-22
KR101579757B1 (en) 2015-12-24
US8638936B2 (en) 2014-01-28
EP3554113A1 (en) 2019-10-16
WO2010019020A9 (en) 2010-09-10
WO2010019020A2 (en) 2010-02-18
JP5390611B2 (en) 2014-01-15
KR20100021385A (en) 2010-02-24
CN102187599B (en) 2015-04-01
EP2315371A4 (en) 2015-10-14

Similar Documents

Publication Publication Date Title
CN102187599B (en) Security protected non-access stratum protocol operation supporting method in a mobile telecommunication system
KR100480258B1 (en) Authentication method for fast hand over in wireless local area network
KR101467780B1 (en) Method for handover between heterogeneous radio access networks
US7200383B2 (en) Subscriber authentication for unlicensed mobile access signaling
US8295488B2 (en) Exchange of key material
US10320754B2 (en) Data transmission method and apparatus
WO2005027559A1 (en) Fast authentication method and apparatus for inter-domain handover
CN101946535A (en) System and method for performing handovers, or key management while performing handovers in a wireless communication system
JP2009533932A (en) Channel coupling mechanism based on parameter coupling in key derivation
JP2018523950A (en) Method and apparatus for direct communication key establishment
KR20080086127A (en) A method and apparatus of security and authentication for mobile telecommunication system
US20200389788A1 (en) Session Key Establishment
KR101460680B1 (en) Method for interworking among wireless technologies
US8819778B2 (en) Method and system for switching station in centralized WLAN when WPI is performed by access controller
US20110002272A1 (en) Communication apparatus and communication method
Kim et al. MoTH: mobile terminal handover security protocol for HUB switching based on 5G and beyond (5GB) P2MP backhaul environment
WO2017171835A1 (en) Key management for fast transitions
CN1997212A (en) Method for location update in the wireless communication network
CN1997213B (en) Method for security information acquisition of the switched target base station in the wireless communication system
Zheng et al. Handover keying and its uses
Liu et al. The untrusted handover security of the S-PMIPv6 on LTE-A
CN110830996A (en) Key updating method, network equipment and terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant